Cybercrime and cyber security: Public-Private Partnership – WS 04 2009
14 September 2009 | 16:15-17:45
Programme overview 2009
Keywords and questions
How to build effective public-private partnerships to meet new and emerging threats? How do we increase robustness while, at the same time, limiting the impact of stress on IT infrastructure and services? What has to be done on global, what on regional and national level? How can we assure that privacy and freedom of expression are respected?
Workshop focus: Responsibilities of providers/operators. Ownership of works/content on social networking sites? Intellectual property, digital rights management. Digital identity. Storage of personal data. Are there user friendly business models? Respect for privacy as a business advantage? Dealing with identity theft, identity fraud, and information leakage. Dignity, security and privacy of children. Controlling one’s own data and data retention. Default privacy settings. How to delete profiles? The ethical dimensions of social networks. The use of social networking sites for political mobilisation.
What are the current issues in cyber security and cybercrime? How to build effective public-private partnerships to meet new and emerging threats? How do we increase robustness while, at the same time, limiting the impact of stress on IT infrastructure, services and users? What has to be done on global, what on regional and national level? How can we assure that privacy and freedom of expression are respected while security is enhanced at the same time?
There was reference to the prevention of crime with regard to child protection which, for example in the UK, is carried out by the blocking of child abuse (and other illegal content) sites and by protecting “innocent sites”. In the UK, the effectiveness of blocking schemes varies and blocking is performed by the industry against a list notification and is open to judicial challenge. There was general consensus that child abuse should be blocked. There was much less consensus on the blocking of other content which could require a different approach.
Audience participation highlighted an array of other issues which they believed to be priorities for action and/or intervention which included phishing, hotlines, malware, botnets and criminal money on the Internet.
The moderator commented on the “Internet Community” being quick to identify issues of crime and nuisance behaviour on the Internet (bullying, libel, interference with freedom of speech, identity theft, fraud and issues that undermine public confidence) in order to seek consensus on appropriate and proportionate responses. At the same time, he added, it is somewhat understandable that parliamentarians and governments feel pressured to legislate in response to public concern.
Online activities which are illegal offline might require a different response (even though that which is illegal offline is generally illegal online). The principle of proportionality in responding was raised. It was mentioned that laws rarely prevent what they forbid and, as a result, the private sector and users prefer to “design out crime”.
There was general agreement that strategies to fight cybercrime were needed and that they should be consistent with democratic principles, respect for the right to life and the rule of law.
The issue of data protection vs. authentication used to enhance security was addressed with particular reference to the threats to privacy and personal data and the threats to democracy and fundamental rights. At the same time, cybercrime was considered to be a major threat, and the anonymity of criminals and the lack of traceability of cyber attacks were highlighted as key problems. Authentication policies were considered to be inevitable. In response, in order to avoid such policies from undermining privacy and the protection of personal data it was proposed:
- Measures to fight cybercrime should be taken on the basis of existing treaties, in particular the Conventions on Cybercrime and on the Protection of Children against sexual exploitation and sexual abuse.
- Global trusted privacy and data protection policies and systems should be established, for example on the basis of the 108 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
- Trusted authentication systems should be put in place with privacy guarantees.
The theme of “new technology – new threats?” was discussed with reference to the potential impact of new technologies such as cloud computing, IPv6, DNS SEC, Web 3.0 on issues of cybercrime and cyber security including their capacity to provide potential solutions.
In the concluding session, there was reflection on the lessons learned regarding legislation and crime prevention in the offline world, in particular it was suggested:
- There was a need to be creative in framing appropriate and proportionate responses,
- The best approaches often started by involving users and those who understand the environment and/or the technology relevant to the problem, and
- The need to start by understanding the problem and sharing perspectives with all stakeholders.
It was stressed that interventions and legislation do not always follow these suggestions and that there is a need to develop a new model of “co-operative regulation” (stakeholder regulation). Further, it was stated that there should not be an assumption that an approach that worked in one context (e.g. blocking of child abuse sites) would work in another context. Consequently, proper analysis and research was underlined in order to show whether interventions had successfully dealt with the problems they were intended to address. Agreed principles (e.g. those emanating from Council of Europe Conventions) were encouraged wherever possible rather than developing new or narrower legislative approaches.